08-08-2011 12:08 AM - edited 03-11-2019 02:08 PM
Dear all,
I'd like to have some support for a very basic PIX firewall configuration.
I'm dealing with a PIX 515's inside/outside/DMZ zones.
Inside hosts can ping the inside interface, outside hosts the outside interface, and so on.
I cannot ping the outside interface from inside hosts.
(i.e. ping 192.168.0.2 from 10.10.10.100)
inside network 10.10.10.0/24
outside network 192.168.0.0/24
I think I properly set NAT and access lists, and furthermore from the ICMP trace it seems that translation is performed, but the echo-reply is missing.
In the attached file you can find the PIX configuration and test.
I think that some PIX expert can easily find out the problem.
Thanks for the support
Mauro
08-08-2011 12:11 AM
Hi Mauro,
Due to design issues, you would never be able to ping a remote interface on the ASA; this is not possible, although you can ping hosts which are connected to these two interfaces. If you are facing an issue with that, do let me know.
Hope this helps,
Thanks,
Varun
08-08-2011 01:37 AM
Dear Varun, thanks for the reply
I'm not dealing with an ASA but with a PIX 515: I tested that the outside interface replies to ping (from outside hosts), and I've read in a PIX firewall book that it would be possible to test connectivity from inside to outside by means of "ping".
That happens if the operator enables icmp any any outside and defines an access-list in this way:
"access-list acl_out permit icmp any any"
and apply to outside interface
"access-group acl_out in interface outside"
I executed the last 2 tasks, but ping from the inside host (10.10.10.100) to the outside interface (192.168.0.2) systematically fails.
I cannot even ping from the inside host (10.10.10.100) to an outside host (192.168.0.x).
The PIX firewall sends the echo-request to outside, I guess (because NAT translation occurs), but no echo-reply ever happens.
08-08-2011 01:45 AM
Hi Mauro,
I'm sorry, I meant PIX, but it is true for PIX as well: you would not be able to ping the remote interface on the firewall.
"I've read in a Pix firewall book that it would be possible to test connectivity from inside to outside by means of "ping" "
What this means is that if you have two hosts connected to the inside and outside, then it would ping, like:
host1 ----------------------------outside(PIX)inside----------------------------------host2
10.1.1.1                          10.1.1.2      20.1.1.2                            20.1.1.1
Now you would be able to ping from host2 to host1, but not from host2 to the outside interface; that is not possible.
For pinging from host2 to host1, you would need the following config:
access-list out_in permit icmp any any
access-group out_in in interface outside
nat (inside) 1 20.1.1.1 255.255.255.255
global (outside) 1 interface
This should work for you.
Hope this helps.
Thanks,
Varun
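As an added example (not from the original thread and not Cisco-supplied configuration), here is how the four commands above fit into a PIX 6.x style configuration using the addressing from the first post (inside 10.10.10.0/24, outside interface 192.168.0.2, global pool 192.168.0.10-62, ACL name acl_out). The interface names, security levels, the inside interface address 10.10.10.1 and the `icmp` statements are assumptions. It differs from the thread's `permit icmp any any` in one respect: the inbound ACL on outside admits only the ICMP types an inside-initiated ping needs back, which is the least-privilege version of the same rule.

```cisco
! Interfaces (names and security levels assumed; outside address from the thread)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0

! Dynamic NAT: "0 0" is shorthand for 0.0.0.0 0.0.0.0, i.e. every inside host.
! nat id 1 ties the nat statement to the global pool below.
nat (inside) 1 0 0
global (outside) 1 192.168.0.10-192.168.0.62

! Inbound on outside. On PIX 6.x ICMP is not tracked statefully, so the
! echo-reply to an inside-initiated ping must be permitted explicitly.
! "permit icmp any any" (as used in the thread) also works, but it admits
! every ICMP type to anything that has a translation; these three suffice.
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-group acl_out in interface outside

! ICMP addressed to the PIX's own interfaces is governed by the icmp command,
! not by the interface ACL. Answer echo only from the directly attached nets.
icmp permit 192.168.0.0 255.255.255.0 echo outside
icmp permit 10.10.10.0 255.255.255.0 echo inside
icmp deny any outside
icmp deny any inside
```

With this in place, `ping 192.168.0.x` from 10.10.10.100 should succeed, and `show xlate` will show the 10.10.10.100 entry mapped to a pool address while `show access-list acl_out` shows the echo-reply hit count rising. `ping 192.168.0.2` from 10.10.10.100 will still fail, because the PIX does not answer pings sent to its far-side interface, exactly as the answer above states. On PIX 7.0 and later, enabling `inspect icmp` in the global policy tracks echo/echo-reply pairs statefully, so the echo-reply ACL line is no longer needed.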
08-08-2011 02:44 AM
Your drawing is a good idea and useful to understand the matter. I'll try to track your approach again:
in my case host2 (20.1.1.1) can ping inside (20.1.1.2) ........ ok!!
host1 (10.1.1.1) can ping outside (10.1.1.2) ........ ok!!
I can take for granted that host2 cannot ping the outside interface (from your statement) ........... ok!!!
You finally state that host2 can ping host1 with the following additional commands:
a) access-list out_in permit icmp any any ---> got it (access-list acl_out permit icmp any any) ... ok!!
b) access-group out_in in interface outside ----> got it (access-group acl_out in interface outside) .... ok!!!
c) "nat (inside) 1 20.1.1.1 255.255.255.255" ------> shouldn't it act like my command "nat (inside) 1 0 0"?
d) global (outside) 1 interface -----> what does it execute? NATting with only the outside interface IP address?
Shouldn't it be similar to my command "global (outside) 1 192.168.0.10-192.168.0.62", which instead defines a pool of outside addresses for NATting?
If these assumptions are true, I would already have the nat and global commands properly set in my configuration, but I tested that host2 cannot ping host1 up to now.
08-08-2011 02:59 AM
Hi Mauro,
The nat statements that I gave you were only for reference; you can use any value that you want.
You can either use:
nat (inside) 1 20.1.1.1 255.255.255.255
global (outside) 1 interface
or
nat (inside) 1 0 0
global (outside) 1 192.168.0.10-192.168.0.62
Both are correct.
Now you said that you are not able to ping host2 from host1?
To troubleshoot it, please take logs and debugs and check where the traffic is dropping.
Take captures as well. As per the configuration it should work.
https://supportforums.cisco.com/docs/DOC-1222
Thanks,
Varun
08-08-2011 04:14 AM
Thanks for the hint!
I'll test again with capture switched on. Hope this helps to collect more info.
Regards
Mauro
08-09-2011 01:17 AM
The configuration was correct. host1 can ping host2.
I was only testing wrongly, because I was referencing the outside interface, which, as you said, never answers to ping.
Thanks for the support!
Mauro
08-09-2011 01:20 AM
Hi Mauro,
That's good, I am glad I was able to clear your doubts.
Take care